Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[HOLD FOR v1.4.2] Pod exec samples; mutation for imagePullSecrets #77

Merged
merged 20 commits into from Aug 8, 2021
Merged

[HOLD FOR v1.4.2] Pod exec samples; mutation for imagePullSecrets #77

merged 20 commits into from Aug 8, 2021

Conversation

chipzoller
Copy link
Member

@chipzoller chipzoller commented Jul 15, 2021
edited

Closes kyverno/kyverno#2151
Closes kyverno/kyverno#1069
Closes #64
Closes #78
Closes #79
Closes kyverno/kyverno#2189
Closes kyverno/kyverno#2239

Adds:

  • Pod mutation policy to add imagePullSecrets
  • Pod mutation policy to add imagePullPolicy=Always
  • Node label creation restriction
  • 5 policies to deny Pod exec operations based on the CONNECT option in Kyverno v1.4.2
  • Image verification policy for Cosign in Kyverno v1.4.2
  • Validate policy to drop CAP_NET_RAW

Changes:

@chipzoller
add "add imagePullSecrets" mutation policy
fbc0498 
Signed-off-by: Chip Zoller <chipzoller@gmail.com>
@chipzoller
add Pod exec policies for Kyverno v1.4.2
fb81f0d 
Signed-off-by: Chip Zoller <chipzoller@gmail.com>
@chipzoller chipzoller added sample Sample policy hold labels Jul 15, 2021
@chipzoller chipzoller added this to the 1.4.2 milestone Jul 15, 2021
@chipzoller
Change enforce mode to audit for all validate policies
b250403 
Signed-off-by: Chip Zoller <chipzoller@gmail.com>
@chipzoller
add "add default securityContext" policy
fe913ea 
Signed-off-by: Chip Zoller <chipzoller@gmail.com>
@chipzoller
revamped all policy descriptions
2c399ec 
Signed-off-by: Chip Zoller <chipzoller@gmail.com>
@chipzoller
Merge branch 'kyverno:main' into main
5496386
@chipzoller chipzoller mentioned this pull request Jul 21, 2021
Closed
@chipzoller
update "replace image registry" with new regex
f410966 
Signed-off-by: Chip Zoller <chipzoller@gmail.com>
@chipzoller
make reference to app label consistent
e836c68 
Signed-off-by: Chip Zoller <chipzoller@gmail.com>
@chipzoller
add "restrict node label creation" policy
bfb700d 
Signed-off-by: Chip Zoller <chipzoller@gmail.com>
@chipzoller
fix name to be accurate
7e45f5b 
Signed-off-by: Chip Zoller <chipzoller@gmail.com>
@chipzoller
add "always pull images"
99fb844 
Signed-off-by: Chip Zoller <chipzoller@gmail.com>
@chipzoller chipzoller mentioned this pull request Jul 29, 2021
Closed
JimBugwadia
JimBugwadia requested changes Jul 30, 2021
View reviewed changes
Copy link
Member

@JimBugwadia JimBugwadia left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good. minor comments / nits.

best-practices/add_ns_quota.yaml Outdated Show resolved Hide resolved
best-practices/add_ns_quota.yaml Outdated Show resolved Hide resolved
best-practices/require_pod_requests_limits/require_pod_requests_limits.yaml Outdated Show resolved Hide resolved
best-practices/restrict_image_registries/restrict_image_registries.yaml Outdated Show resolved Hide resolved
best-practices/restrict_image_registries/restrict_image_registries.yaml Outdated Show resolved Hide resolved
other/block_updates_deletes.yaml Outdated Show resolved Hide resolved
other/disallow_localhost_services/disallow_localhost_services.yaml Outdated Show resolved Hide resolved
other/limit_containers_per_pod.yaml Outdated Show resolved Hide resolved
@chipzoller
Copy link
Member Author

All good feedback, thank you. I'll work on them. For generating the website MD, I'm thinking this is the first case where we can merge these into all effective release branches because the policies themselves carry the minversion annotation, and we want all branches to, for example, pick up the enhanced descriptions added above. So the release versioning instructions should probably carry some instructions for these cases as well.

@chipzoller
address feedback
9936609 
Signed-off-by: Chip Zoller <chipzoller@gmail.com>
@chipzoller
improve "restrict_ingress_host" to catch multiple rules
357a5d6 
Signed-off-by: Chip Zoller <chipzoller@gmail.com>
@chipzoller
Copy link
Member Author

@JimBugwadia I think we can go ahead and approve/merge this if you're ok.

@chipzoller
add "verify image" policy
4d4368b 
Signed-off-by: Chip Zoller <chipzoller@gmail.com>
@chipzoller
add "require drop cap_net_raw"
991abac 
Signed-off-by: Chip Zoller <chipzoller@gmail.com>
@chipzoller
fix "require drop all" to conform to cap_net_raw
1985cd5 
Signed-off-by: Chip Zoller <chipzoller@gmail.com>
@chipzoller
Copy link
Member Author

@JimBugwadia please provide review.

JimBugwadia
JimBugwadia requested changes Aug 8, 2021
View reviewed changes
Copy link
Member

@JimBugwadia JimBugwadia left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good! a few suggestions.

pod-security/baseline/disallow-adding-capabilities/disallow-adding-capabilities.yaml Outdated Show resolved Hide resolved
other/block-pod-exec-by-namespace-label.yaml Outdated Show resolved Hide resolved
other/block-pod-exec-by-namespace.yaml Outdated Show resolved Hide resolved
@chipzoller
"This sample" to "This policy"
5a32067 
Signed-off-by: Chip Zoller <chipzoller@gmail.com>
@chipzoller
improve message
3c05617 
Signed-off-by: Chip Zoller <chipzoller@gmail.com>
@chipzoller
improve description
d4c181c 
Signed-off-by: Chip Zoller <chipzoller@gmail.com>
@chipzoller
Copy link
Member Author

Addressed all feedback.

JimBugwadia
JimBugwadia requested changes Aug 8, 2021
View reviewed changes
Copy link
Member

@JimBugwadia JimBugwadia left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

one minor comment, ready to merge otherwise!

other/add_ndots.yaml Outdated Show resolved Hide resolved
@chipzoller
remove repeated "policy" in description
7b275c0 
Signed-off-by: Chip Zoller <chipzoller@gmail.com>
@JimBugwadia JimBugwadia merged commit 73b7140 into kyverno:main Aug 8, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JimBugwadia JimBugwadia JimBugwadia approved these changes

Assignees
No one assigned
Labels
hold sample Sample policy
Projects
None yet
Milestone
1.4.2
2 participants
@chipzoller @JimBugwadia